Mandarin Oriental Investigates Data Breach Incident

The data breach tidal wave continues: the Mandarin Oriental Hotel Group has confirmed that its hotels have been affected by a credit-card breach.

Banks told independent researcher Brian Krebs that they had noticed a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels. To boot, it appears that the attack happened just before Christmas, and that it likely affected most if not all of the company’s two-dozen locations.

When Krebs reached out to the luxury chain, the company confirmed it is investigating a breach caused by malware used to infect its point-of-sale systems in the US and in Europe.

“We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company told Krebs.

“Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law,” it continued. “The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.”

It’s a pretty rote statement. Ulf Mattsson, CTO at Stamford, CT-based data security company Protegrity, noted that rote answers are not enough. He added that while it’s important to follow PCI and privacy guidelines, it’s also necessary to go beyond them.

"I have no doubt that officials at the luxury hotel chain will say their credit card systems were PCI compliant,” he noted in an emailed comment. “Unfortunately, they have just learned the hard way that compliance does not equal security.”

Rather, there are critical questions that need to be asked. "This is no time for corporate security officers to tell themselves, 'my company is PCI-compliant. We haven’t had any breaches. We should be OK,’” he said. “What they should really be asking themselves is, 'Are we really good at protecting our most critical data or were we just lucky? What else can we do to make sure criminals don’t steal our sensitive data, not to mention our reputation, our customers’ loyalty, our employees’ job satisfaction or even our profits?'"

Krebs said that given the Mandarin’s type of clientele—rooms go for upwards of $600 per night—the cards could be worth a lot on the underground market. But, it’s not clear if the theft is from stores and restaurants inside the hotels or the front desk systems themselves.

“This was the case with hotels managed by White Lodging Services Corp., which last year disclosed a breach that impacted only restaurants and gift shops within the affected hotels,” he said.